Some of the best things you can do to harden and secure your WordPress site to secure!
Latest SUCURI report shows one or more vulnerabilities infected 90% of WordPress sites.
I see hundreds of questions/concern every month in Facebook Group, Stack Overflow regarding website got hacked/malware-infected. I am not surprised.
Website security is as important as your content and SEO, and one should do whatever it takes to keep the online business safe and secure. There are multiple approaches to tightening your WordPress; however, following you will learn the practical ideas which I do, and I hope it will be helpful to you.
WP Hardening & Security Tips
Brute Force attack is one of the old techniques to constantly try to get into the WordPress admin with many user/password combination. By going passwordless, you are not leaving any option for a hacker to attempt a login. Wondering how does it work?
Let me show you.
The default WordPress login window looks like:
When you go passwordless, you will not have the option to enter the user and password; instead, you will need to authenticate with your phone. It’s simple and convenient.
UNLOQ has WordPress plugin too, which let you replace the password with your phone. UNLOQ use TLS over the communication, and data is encrypted with an AES-256-CBC algorithm.
You can have up to 100 users with unlimited authentication in FREE, which is more than enough for WordPress admin login.
Not convinced with the passwordless solution?
No worries, try two-factor authentication – better than just a regular credential.
Have Solid Backup Strategy
Backup is your friend!
When things go wrong, and nothing works, then, a backup will come for a rescue.
There could be many things go wrong with the following.
- Messed up with the configuration
- Files got deleted
- Website got hacked
- You installed some plugin and then site broken
- Site is broken after updating WordPress/Theme/Plugins
If you are unable to fix or taking a long time to put your online business operational, then you can consider restoring your website from the backup.
Most of the WP hosting platform provides daily backup, so you are okay. However, if you are with some other web hosting, then you may want to check the backup they provide.
If you are on VPS like DIgitalOcean or Linode, then the backup is not enabled by default, and they charge around 20% of your VPS plan. So if you are on $10 plan, you need to pay an additional $2 for the backup.
Trust me; it’s worth it. There were many situations when I had no option than restoring Geekflare from the backup.
If you are hosting on a cloud-like AWS, Google Cloud, then you must consider taking snapshot regularly or use a third-party backup tool. If you have a backup with web hosting then I don’t see any reason to use the backup plugin, but in case you want, here are some of the popular free backup & restore plugins for WordPress.
Active installed over 2 million says a lot. Updraft Plus let you backup your website data in a cloud-like Amazon S3, Google Drive, Dropbox, FTP, etc.
Whenever you need to restore, you are just a click away.
BlogVault is a premium plugin and trusted by more than 400,000 sites owner. Some of the features include the following.
- Automatic real-time backup and archive for 365 days
- One-click staging site and recovery
- Use for migration
- Cloud-backup option
Don’t settle anything less than a daily backup.
Use WAF/Security Plugin
The default WordPress installation may expose configuration/information and can be vulnerable if not harden properly. There are many security-related plugins available, so pick what you like but ensure it cover the following.
- Change Admin URL – WordPress admin is accessible by default as wp-login.php, and the whole world knows about it.
So if you know a site is built on WordPress, then you can try to access admin URL by adding wp-login.php and do the nasty things in trying to get into, etc. It will be a good idea to change the admin URL from wp-login.php to something else.
- Spam Protection – don’t let your site get full of spam comments, emails.
- Block suspicious request – don’t entertain the malicious request, script execution
- Implement Security HTTP Header – protect from clickjacking, secure cookie, XSS attack, etc. by injecting necessary parameters in HTTP response headers.
Let’s take a look at the top security plugins.
Wordfence is loved by over three million websites and has tons of features, including the following.
- WordPress Firewall
- Blocking Features
- Login Security
- Security Scanning
- IPv6 Compatible
iThemes, a premium security solution. It helps you to protect your website from more than 30 types of attacks.
The configuration is easy, and it offers comprehensive security protection.
Shield a.k.a. WordPress Simple Firewall is simply awesome and gives you almost everything you need for FREE.
I have used this plugin and love the dashboard and comprehensive features — worth giving a try.
Use Cloud-based Security
Security/firewall by WordPress plugin is good, but it’s still within WordPress and protection starts when the request reaches to WordPress.
If you are looking to have additional protection, then you must consider using cloud-based security. Security from cloud protects and block the attackers from the edge of the network. Most of the cloud-based security provider also offers you a CDN (Content Delivery Network) to make your website load faster.
Some of the popular CDN & Security providers are:
One of the industry leaders in providing website security and high-performing CDN for better performance and security.
SUCURI offers dual benefits – security and performance with single pricing. Protection against OWASP top 10 vulnerabilities, DDoS, WordPress specific threats, brute force attacks, and a lot more.
The list won’t be complete without including Cloudflare. One of the most popular CDN & Security provider to make your website secure and speedy.
Take a look at the plan details for features comparison — some of the worth mentioning features of Cloudflare.
- Global CDN
- FREE SSL Certificate
- HTTP/2, WebSockets, IPv6 support
- DNSSEC, cache purge, custom rules
- Comment spam, content scraping, OWASP WAF, DDoS protection
SUCURI says 55% of an infected website had out-of-date WordPress.
Having an old version of WordPress, plugin, a theme may be vulnerable, and as a best practice, you should keep an eye on the vulnerable plugins and patch on priority. You may subscribe to the WP Scan Vulnerability Database for an email alert, so you know if used plugin/WordPress/theme are vulnerable.
Security is an on-going process instead of a one-time setup and forget it. Sometimes it is better to offload the headache to the expert by going for a premium solution. If you can do the above by yourself then its good else you may consider WP support and maintenance service like WP Buffs.